Archive for the ‘Tips & Tricks’ Category

Although we’ve already embraced the EFS-encryption/decryption in some of our white papers and case studies, now we’d like to share a video tutorial because seeing once is better than hearing reading twice. So, in this video you will see how to decrypt EFS-encrypted data with help of Advanced EFS Data Recovery and how to recover Windows user account password with Proactive System Password Recovery (because it’s still obligatory for this type of encryption).

Advanced EFS Data Recovery (AEFSDR) is wholly dedicated to decryption of Windows EFS-encrypted files, however in order to decrypt the data the program still requires the user account password. Yeah, you might think at first that anyone can decrypt the data having user account password at hand, but no. You can’t. EFS encryption uses more than just logon password, nonetheless it’s the core ingredient in data decryption and so it must be provided.

If you forgot the logon password or didn’t know it at all Proactive System Password Recovery (PSPR) in its turn can help you acquire all system passwords once you can log into the system with administrator privileges. Exactly this example has been illustrated in our video (provide by Sethioz), here it is:

With all the trouble of jailbreaking iOS 8 devices and the lack of support for 64-bit hardware, does iOS physical acquisition still present meaningful benefits to the investigator? Is it still worth your time and effort attempting to acquire that iPhone via a Lightning cord?

Granted, jailbroken iOS devices are rare as hen’s teeth. You are very unlikely to see one in the wild. However, we strongly believe that physical acquisition still plays an important role in the lab, and here are the reasons why.

Apple’s current privacy policy explicitly denies government information requests if the device in question is running iOS 8. This means that handing over the device to Apple will no longer result in receiving its full image if the device is running iOS 8.x (source: https://www.apple.com/privacy/government-information-requests/)

In many countries (Mexico, Brazil, Russia, East Europe etc.) Apple sells more 32-bit phones than 64-bit ones. Old iPhones traded in the US are refurbished and sold to consumers in other countries (BrightStar coordinates these operations for Apple in the US). As an example, new and refurbished iPhone 4S and 5 units accounted for some 46% of all iPhones sold through retail channels in Russia in Q1 2015.

Physical extraction returns significantly more information compared to any other acquisition method including logical or over-the-air acquisition. In particular, we’re talking about downloaded mail and full application data including logs and cache files (especially those related to Internet activities). A lot of this information never makes it into backups.

Full keychain extraction is only available with physical acquisition. Physical is the only way to fully decrypting the keychain including those records encrypted with device-specific keys. Those keychain items can be extracted from a backup file, but cannot be decrypted without a device-specific key. In addition, the keychain often contains the user’s Apple ID password.

With physical acquisition, you can extract the ‘securityd’ (0x835) from the device. This key can be used to completely decrypt all keychain items from iCloud backups.

Physical acquisition produces a standard DMG disk image with HFS+ file system. You can mount the image into the system and use a wider range of mobile forensic tools to analyze compared to iTunes or iCloud backup files.

Quite often our new customers ask us for advice about what they should start with in order to use the program effectively. In fact, there are various situations when the tool can come in handy by decrypting data securely protected with TrueCrypt, BitLocker (To-Go), or PGP and we’d need a super long video to describe all the cases. But we’d love to demonstrate one typical situation when disk is protected with TrueCrypt when entire system drive encryption option is on.

In this video, kindly provided by Sethioz, we suggest you to decrypt TrueCrypt whole system drive encryption using our Elcomsoft Forensic Disk Decryptor thoroughly going through all the stages starting from the very first one when you just got the encrypted hard drive on hands.

With encrypted hard drive in one hand and its memory dump in the other one (taken when encrypted disk was still mounted) we plug HDD into our “invesgitator’s” computer, start Elcomsoft Forensic Disk Decryptor and easily, in one slow motion, extract the encryption keys from the memory dump file and decrypt the protected HDD, either by mounting it into the “investigator’s” system (to be able to work with it on-the-fly) or by decoding the contents into a specified folder.

We hope you’ll enjoy this video and next time you have the necessity to decrypt something encrypted you’ll feel more confident about it. We also invite you to take a moment and share your experience here in comments or leave your question if you still have any after this pretty detailed video.

As you may already know, we have just updated our recently released forensic tool, Elcomsoft Phone Viewer. The update received a major performance boost and numerous usability enhancements.

So what’s the point of having a “yet another” mobile forensic tool? Aren’t there enough already? In fact, we considered making this tool for a long time, and were hesitant to make the move exactly because there are so many great forensic packages already. However, our customers kept asking for a lighter, smaller, faster and easier alternative to complement our existing tools. They cited how bulky those all-in-one forensic packages were, and mentioned training courses they had to take just to begin using those tools. Call it minimalism, but we made a tool that doesn’t require training sessions to use, and employs the same familiar user interface as other ElcomSoft tools. (more…)

I know most computer gurus and pros never read through program manuals or help files and prefer to learn everything using proverbial method of trial and error. Does this sound like you? Of course. Exceptions are very seldom. So, here’s something nice that will save your time and help your experience with Elcomsoft Wireless Security Auditor (EWSA).

In order to provide a quick but sufficient understanding how to effectively work with EWSA, our friend Sethios has prepared a nice 20-minute video tutorial that includes all steps of work with the program starting with acquiring handshakes and moving on through all following steps.

This video is packed with useful information, so go ahead and watch it now:

Was it helpful for your work? You are the judge. But we are always happy to hear from you. Your feedback is the reason we work harder on our software!

The information provided in this article is strictly for educational purposes. Therefore, you confirm that you are not going to use it to break into someone else’s Apple account. If you wish to apply ideas described in this article, you are taking full responsibility for your actions.

Nowadays, computer data is everywhere around and it’s growing at amazing speeds from hour to hour. It’s really fast, easy and convenient to stay active online day and night. No matter how easy it may be for the user, for computer crime investigators, on the contrary, it is the toughest challenge to collect and decrypt digital evidence. Even more important for them is to be able to evaluate a particular situation and understand what exactly they can collect, where it may be stored, how quickly and effectively they can get hands on it leaving the data intact and authentic in order to keep it still useful and trustworthy in court.

The crime scene has also moved or better to say spread from computers to mobile devices that can not only “carry” but also produce, process and transfer valuable information among other mobile devices or even into the cloud. This introduces another big challenge, which is tracing a connection between various electronic devices, collecting necessary information from them and gathering evidence into one case.

A successful completion of the investigation requires a well thought-out and structured incident response scenario and a whole arsenal of tools, techniques and methods at hand that could be implemented quickly and effectively.

Anyone considering the possibility to purchase Elcomsoft Distributed Password Recovery has a wonderful opportunity to explore the program together with Sethioz and get a clearer understanding of how the program works and what requires your special attention when you are using EDPR. This video assumes you are already familiar with basics of password cracking and suggests more information for your convenient work with the tool.

This is a very detailed tutorial showing how to prepare EDPR for work, which includes setting up connection between server and agents via local host or Internet, selecting the right IP address, paying attention to the fact that server’s and agent’s versions should be the same (users often neglect this fact), choosing a task, choosing the right attack options (they are all sufficiently explained), using side monitoring tools, checking your GPU temperature and utilization percentage on all connected computers and so on. So, let’s watch it now.

If you had any questions watching this video or would like to share your own experience using EDPR you are welcome to continue the topic here in comments.

If you care about password cracking, hardware acceleration or Wi-Fi protection this interview with our friend Sethioz is certainly for you. Being currently a freelance security tester Sethioz kindly shared his experience in cracking passwords using video cards, which in its turn derived from his gaming interest in cards. His personal experience may be very helpful to those whose concern about password cracking is not trivial.

How did it all start or what was the reason to try to find a Wi-Fi password?

There is no short answer to this, if there would be, I guess it would be “curiosity”. I think I got my first computer somewhere in 2002-2003 (my own PC) and ever since I’ve been interested in everything that is not “normal”, such as reverse engineering, debugging, hacking games, cracking password etc. (more…)

A Practical Guide for the Rest of Us

How many passwords does an average Joe or Jane has to remember? Obviously, it’s not just one or two. Security requirements vary among online services, accounts and applications, allowing (or disallowing) certain passwords. Seven years ago, Microsoft determined in a study that an average user had 6.5 Web passwords, each of which is shared across about four different websites. They’ve also determined that, back then, each user had about 25 accounts that required passwords, and typed an average of 8 passwords per day.

It didn’t change much in 2012. Another study determined that an average person has 26 online accounts, but uses only five passwords to keep them secure, typing about 10 passwords per day. CSID has a decent report on password usage among American consumers, discovering that as many as 54% consumers have five or less passwords, while another 28% reported using 6 to 10 passwords. Only 18% had more than 10 passwords. 61% of all questioned happily reuse their passwords over and over.

This obviously indicates a huge risk, making all these people susceptible to attacks on their passwords. Why do we have this situation, and what should one do to keep one’s life secure against hacker attacks? Let’s try to find out.

Passwords: Plagued with Problems

Passwords are the most common way of securing the many aspects of our lives. However, password-based protection is plagued with problems. Let’s have a look at why passwords are less than perfect when it comes to security. (more…)